From c46b5488413c07dd9e1c57a60095b8ab3abe73f3 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo
Date: Wed, 15 Oct 2025 21:17:43 +0200
Subject: [PATCH 1/2] Fix stale EG(opline_before_exception) pointer through eval

Fixes GH-20183
---
 Zend/tests/gh20183.phpt | 22 ++++++++++++++++++++++
 Zend/zend_objects.c | 2 ++
 2 files changed, 24 insertions(+)
 create mode 100644 Zend/tests/gh20183.phpt

diff --git a/Zend/tests/gh20183.phpt b/Zend/tests/gh20183.phpt
new file mode 100644
index 0000000000000..354929efbbfb5
--- /dev/null
+++ b/Zend/tests/gh20183.phpt
@@ -0,0 +1,22 @@
+--TEST--
+GH-20183: Stale EG(opline_before_exception) pointer through eval
+--FILE--
+
+--EXPECTF--
+#0 %s(10): A->__destruct()
+
+Fatal error: Uncaught Error: Class "B" not found in %s:10
+Stack trace:
+#0 {main}
+ thrown in %s on line 10
diff --git a/Zend/zend_objects.c b/Zend/zend_objects.c
index af4d1f265897a..30ea22c8de44f
--- a/Zend/zend_objects.c
+++ b/Zend/zend_objects.c
@@ -164,6 +164,7 @@ ZEND_API void zend_objects_destroy_object(zend_object *object)
 && ZEND_USER_CODE(EG(current_execute_data)->func->common.type)) {
 zend_rethrow_exception(EG(current_execute_data));
 }
+ EG(current_execute_data)->opline = EG(opline_before_exception);
 old_exception = EG(exception);
 old_opline_before_exception = EG(opline_before_exception);
 EG(exception) = NULL;
@@ -173,6 +174,7 @@ ZEND_API void zend_objects_destroy_object(zend_object *object)
 zend_call_known_instance_method_with_0_params(destructor, object, NULL);
 if (old_exception) {
+ EG(current_execute_data)->opline = EG(exception_op);
 EG(opline_before_exception) = old_opline_before_exception;
 if (EG(exception)) {
 zend_exception_set_previous(EG(exception), old_exception);
From 5f3155f226220a77645c104dce19fb51c3a4675d Mon Sep 17 00:00:00 2001
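Review bot: The new store `EG(current_execute_data)->opline = EG(opline_before_exception);` sits outside the `EG(current_execute_data) && ...->func && ZEND_USER_CODE(...)` guard that the `zend_rethrow_exception()` call two lines above is under, so it dereferences a pointer the guard treats as possibly NULL and, when the current frame is an internal function, overwrites that frame's opline with an `EG(opline_before_exception)` that was never recorded for it (as far as I recall, the throw path only records it for user frames, so the value can belong to an older or already unwound frame — the stale pointer this patch is about). The swap is only meaningful right after the rethrow has recorded the current frame's own opline, so I would move the line inside the braces, `zend_rethrow_exception(EG(current_execute_data));` followed by `EG(current_execute_data)->opline = EG(opline_before_exception);`, and remember that the guard held (a `bool` local) so the `EG(exception_op)` restore further down is applied under the same condition. The `if (EG(exception))`/`else` block this sits in, and the function itself, begin outside the hunk.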
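Review bot: The restore `EG(current_execute_data)->opline = EG(exception_op);` is undocumented, and a reader of this line alone cannot tell why a frame's opline is pointed at the exception op table after the destructor returned; the only hint is the `old_opline_before_exception` restore on the next line. I would add above it `/* The frame was in the HANDLE_EXCEPTION state on entry (opline == EG(exception_op), real opline kept in EG(opline_before_exception)); put it back now that the destructor has run. */`. The line also assumes `EG(current_execute_data)` is the same frame as before the call, which holds only if `zend_call_known_instance_method_with_0_params()` restores it — not visible here, worth a word in the same comment. The function continues past the hunk.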
From: Ilija Tovilo
Date: Wed, 22 Oct 2025 00:57:34 +0200
Subject: [PATCH 2/2] Also fix generators

---
 Zend/tests/{gh20183.phpt => gh20183_001.phpt} | 0
 Zend/tests/gh20183_002.phpt | 34 +++++++++++++++++++
 Zend/zend_generators.c | 14 ++++++--
 3 files changed, 45 insertions(+), 3 deletions(-)
 rename Zend/tests/{gh20183.phpt => gh20183_001.phpt} (100%)
 create mode 100644 Zend/tests/gh20183_002.phpt

diff --git a/Zend/tests/gh20183.phpt b/Zend/tests/gh20183_001.phpt
similarity index 100%
rename from Zend/tests/gh20183.phpt
rename to Zend/tests/gh20183_001.phpt
diff --git a/Zend/tests/gh20183_002.phpt b/Zend/tests/gh20183_002.phpt
new file mode 100644
index 0000000000000..ec4d62d0960dc
--- /dev/null
+++ b/Zend/tests/gh20183_002.phpt
@@ -0,0 +1,34 @@
+--TEST--
+GH-20183: Stale EG(opline_before_exception) pointer through eval
+--CREDITS--
+Arnaud Le Blanc
+--FILE--
+gen = gen();
+ $this->gen->rewind();
+ }
+}
+
+B::$a = new A();
+
+?>
+--EXPECTF--
+#0 %s(20): gen()
+
+Fatal error: Uncaught Error: Class "B" not found in %s:20
+Stack trace:
+#0 {main}
+ thrown in %s on line 20
diff --git a/Zend/zend_generators.c b/Zend/zend_generators.c
index eeab16b9a1352..84b40cfdc21a3
--- a/Zend/zend_generators.c
+++ b/Zend/zend_generators.c
@@ -317,9 +317,16 @@ static void zend_generator_dtor_storage(zend_object *object) /* {{{ */
 ZEND_CALL_VAR(ex, ex->func->op_array.opcodes[try_catch->finally_end].op1.var);
 zend_generator_cleanup_unfinished_execution(generator, ex, try_catch->finally_op);
- zend_object *old_exception = EG(exception);
- const zend_op *old_opline_before_exception = EG(opline_before_exception);
- EG(exception) = NULL;
+
+ zend_object *old_exception = NULL;
+ const zend_op *old_opline_before_exception = NULL;
+ if (EG(exception)) {
+ EG(current_execute_data)->opline = EG(opline_before_exception);
+ old_exception = EG(exception);
+ old_opline_before_exception = EG(opline_before_exception);
+ EG(exception) = NULL;
+ }
+
 Z_OBJ_P(fast_call) = NULL;
 Z_OPLINE_NUM_P(fast_call) = (uint32_t)-1;
@@ -328,6 +335,7 @@ static void zend_generator_dtor_storage(zend_object *object) /* {{{ */
 zend_generator_resume(generator);
 if (old_exception) {
+ EG(current_execute_data)->opline = EG(exception_op);
 EG(opline_before_exception) = old_opline_before_exception;
 if (EG(exception)) {
 zend_exception_set_previous(EG(exception), old_exception);
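Review bot: The restore `EG(current_execute_data)->opline = EG(exception_op);`, together with the matching set in the previous hunk, assumes the current frame is the one whose real opline is saved in `EG(opline_before_exception)`, but unlike `zend_objects_destroy_object()` this function never calls `zend_rethrow_exception()` on that frame first. When a generator held in a CV is released from `zend_leave_helper` — by then `EG(current_execute_data)` is already the caller, whose opline is still the real call opline, while `EG(opline_before_exception)` points into the callee's op_array — the new code, as far as I can follow the unwinding path, first writes the callee's opline into the caller frame and then leaves it at the exception op, so the leave helper's own `zend_rethrow_exception()` sees HANDLE_EXCEPTION and records nothing, and the caller's HANDLE_EXCEPTION handler derives `throw_op_num` from a pointer into a foreign op_array (wrong try/catch selection and live-var cleanup); before this patch the caller's opline was untouched and that rethrow recorded it correctly. I would mirror the destructor path: when the current frame is user code, rethrow onto it, only then swap the opline, and only restore `EG(exception_op)` if the swap happened. The enclosing loop starts before the first hunk and the function continues after this one.
```c
			zend_object *old_exception = NULL;
			const zend_op *old_opline_before_exception = NULL;
			bool opline_swapped = false;
			if (EG(exception)) {
				/* Same dance as zend_objects_destroy_object(): record the pending
				 * exception on the frame we are actually running in before swapping
				 * its opline. Reached from zend_leave_helper, EG(current_execute_data)
				 * is already the caller and EG(opline_before_exception) still points
				 * into the callee's op_array. Internal frames have no opline to swap. */
				if (EG(current_execute_data)
				 && EG(current_execute_data)->func
				 && ZEND_USER_CODE(EG(current_execute_data)->func->common.type)) {
					zend_rethrow_exception(EG(current_execute_data));
					EG(current_execute_data)->opline = EG(opline_before_exception);
					opline_swapped = true;
				}
				old_exception = EG(exception);
				old_opline_before_exception = EG(opline_before_exception);
				EG(exception) = NULL;
			}
			/* … unchanged: fast_call reset and zend_generator_resume() … */
			if (old_exception) {
				if (opline_swapped) {
					/* Back to the HANDLE_EXCEPTION state the frame was in on entry. */
					EG(current_execute_data)->opline = EG(exception_op);
				}
				EG(opline_before_exception) = old_opline_before_exception;
```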